Configure OpenVPN like Hamachi (not tunnel to Internet)

[beagle72]

Hi,

I hope I can explain this clearly. I currently have a VPS running OpenVPN. I am not an expert at this but I configured it following various online tutorials, and it works. I can connect to the VPN from various devices. Network services are tunneled through the VPS to the Internet. Cool.

I have been playing with Hamachi. Installing the Hamachi client on various machines, they can see each other as a virtual LAN. Share files, intranet services, etc. But each machine is using its own outgoing Internet connection -- services to the Internet are not being tunneled from Hamachi.

I want to setup something like this using OpenVPN. In other words, for multiple devices running the OpenVPN client connected the OpenVPN server to be connected as a virtual LAN but NOT route Internet activity by tunneling through the server. For one thing, that is too slow. When I am on my home broadband I don't want or need to tunnel through the VPN to the Internet, but I do want to be on a virtual LAN with other machines connected to my server from other locations.

Any clues or advice how to configure OpenVPN in this way? Ideally I'd like to be able to switch between both scenarios as needed (with and without tunneling to Internet).

thanks!

[maikcat]

hi there,

this is a very simple setup,
DONT use redirect-gateway statement and use client-to-client inside server config...

for this to work you need server directive.

Michael.

[nchall]

I am trying to accomplish this same thing: use OpenVPN instead of Hamachi on all my devices to be assigned a private ip 10.8.x.x whether the device is on the lan or wan. To do this I am using dyndns.org to give the router running the OpenVPN server a static ip.

My problem is that I am able to connect to the VPN server when I am outside the lan, but when I am inside the lan I get an error saying the expected ip is different. It is looking for the dyndns.org external ip, and not the ip that the router running the OpenVPN server has on the lan. So 192.168.1.1 instead of the public wan ip that the dyndns.org service is forwarding to.

When I put "float" which is what is suggested in the log into the client config I am not able to access the internet from the lan.

Clearly I have some issues. Any help would be appreciated.

Thanks.

[Mimiko]

If you really need to use OpenVPN connection when clients are in the lan, then masquerade the port used to connect on the lan's router, ie. if a connection attempt to router's external ip is from internal, then masquerade that packet.

[nchall]

Would you mind giving a little more information on how to do that? I'm not familiar with the term. Thank you.

[Mimiko]

That might be:

Code: Select all

iptables -t nat -A PREROUTING -i eth0<lan interface> -p <udp or tcp> --dport <VPN port> -j DNAT --to-destination <lan's ip>

[nchall]

Thanks. I will try and make sense of that. One other question though:

If the computer running the OpenVPN client is on the wan and the computer I want to connect to is behind the router running the OpenVPN server on the lan, how do they connect? Seems like the computer running the client on the LAN gets a private IP that is separate from the one on the LAN.

Thanks.

[Mimiko]

The client and server may communicate directly by theirs tunnels assigned ip.

[nchall]

But won't the one behind the LAN not get a private IP in this scenario?

Say OpenVPN is assigning 10.8.x.x to the one on the WAN and the router is assigning 192.168.x.x to the one on the LAN. These wouldn't be able to talk, I imagine.

[nchall]

Never received a reply to this. Will running OpenVPN behind the LAN still cause the same problem? Thanks.